Overview

overview

10

Static

static

purchase o...df.exe

windows7_x64

10

purchase o...df.exe

windows10_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-06-2021 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase order.pdf.exe

  • Size

    1.4MB

  • MD5

    9765acf7509b0800d88d96a629c0cc24

  • SHA1

    41ca7dd1724c8a4f880c6c9094debdf3796c3c51

  • SHA256

    a222f23b44ac7af5cbac74e3f60643e232ed63d8a79162d58084f5fcce5dfd52

  • SHA512

    c13cfc90c81b4d22389854d5514cc6f2f4e37cec6205c52e2cf40373345963f62bb76650bcf7d67813382cb2e5aa5e88c44b2ea3d1c527a5b1d61546fc2f74a6

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/3V16BrI6suXPx

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HZJUoSTieh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E49.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3928
    • C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
      "{path}"
      2⤵
        PID:1308
      • C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
        "{path}"
        2⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:1068

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9E49.tmp
      MD5

      4e12c3ade6ddbcd886a7505731c10d44

      SHA1

      4797ed935fc36bc484dd3027790387db6f42943e

      SHA256

      5fa44d5def3855dfe7e62592607a8ee293df2098f464b9b5eb8e0ab4ddb5a593

      SHA512

      e3882b77003f5e3738f4a6c50eed501f015c89a460737dbfc5e0a1de3b212028f9320b498a73e1bbe635862cc99bb7d8dbe5ad3203167d7d427db06bf71d85cc

      Download Submit
    • memory/1068-128-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1068-127-0x00000000004139DE-mapping.dmp
      Download
    • memory/1068-126-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/3908-121-0x0000000007560000-0x0000000007562000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3908-120-0x00000000070E0000-0x00000000070E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3908-114-0x0000000000120000-0x0000000000121000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3908-122-0x0000000008EF0000-0x0000000008F56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3908-123-0x0000000004540000-0x000000000455D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/3908-119-0x0000000007330000-0x0000000007331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3908-118-0x0000000007430000-0x0000000007431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3908-117-0x0000000007390000-0x0000000007391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3908-116-0x00000000077F0000-0x00000000077F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3928-124-0x0000000000000000-mapping.dmp
      Download